Where there’s smoke, there’s FireWire

Forensic software developer Passware announced a new version of its eponymous forensics kit on Tuesday. Several news outlets are already reporting that the program can automatically recover the login password from a locked or sleeping Mac: the attacker connects the Mac by FireWire to a second computer running the Passware software from a USB flash drive, and the software pulls the password out of the Mac's memory. FireWire (also called i.LINK by Sony, and known by the name of its standard, IEEE 1394) is, for those unfamiliar with it, a peripheral connection standard similar to USB. Although arguably the superior interface, its higher cost and implementation complexity have restricted it largely to professional use, such as digital media recording and editing, while USB has gone on to become the more popular interface for connecting peripheral devices.

First off, a little background. One of the design features of FireWire, and part of what makes it attractive for professional use, is that it allows a connected device to perform DMA (Direct Memory Access): the device reads from and writes to the host's memory directly, rather than having the CPU copy every byte. Because the processor does not have to manage the transfer, high data rates and low CPU utilization are achieved, leaving the CPU free for other work. The security consequence follows directly from the design: in its default configuration, the FireWire host controller services a connected node's read and write requests for physical memory addresses without the operating system vetting who is asking or what is being touched, so a device plugged into the port can dump, search, or patch the contents of RAM while the machine is running.

While this form of password theft sounds novel enough to have been picked up by several news sources, notably MSNBC and PC World, is it really something new, or the return of something old?

In 2004, computer security researcher Maximilian Dornseif presented at the PacSec conference on how the FireWire interface could give a connected device access to a computer's memory. PacSec organizer Dragos Ruiu posted an advisory about the issue to the BugTraq mailing list as well. The MITRE Corporation, operator of the Common Vulnerabilities and Exposures (CVE) list, assigned this FireWire design flaw the rather pedestrian ID CVE-2004-1038. The issue then went largely unnoticed and uncommented upon until 2008, when it reared its head again, incorporated into an authentication bypass attack on Windows XP and (with some modification) the then-new Windows Vista. In February 2011, FireWire appeared in passing once more, this time in a malware attack scenario: Ars Technica reported that computer security firm HBGary had partnered with defense contractor General Dynamics on a project named “Task B” to install rootkits onto computers by writing them directly into memory.

In all these cases, over the past seven years, one constant stands out time and time again: for any of these attacks to succeed, the attacker needs physical access to the machine in order to plug a device into its FireWire port. And an attacker with physical access to a computer can do a great deal to it, up to and including stealing it.

For both Mac OS X and Windows, the solution to this “vulnerability” is quite simple (strictly speaking, it is no more a vulnerability than the ability to boot a system from a recovery CD): if your computer is going to be unattended for any length of time in an insecure environment, turn it off, and disable automatic login so that a machine that is powered on or rebooted stops at the login window rather than loading a session whose password is resident in memory. Note that putting the machine to sleep or merely locking the screen does not help here: the logged-in session, and the password with it, stays in RAM, which is exactly the state the Passware attack targets. You could also disable FireWire/1394 altogether if you have no devices that use the port, by disabling the 1394 host controller in Device Manager on Windows or unloading the FireWire host-controller driver on Mac OS X (not all systems have a FireWire port, of course). Or, even more simply, don't leave your computer alone in an unsafe location. While the chance of password theft or rootkit injection via FireWire is likely quite low, there is a much higher probability of the machine being stolen the old-fashioned way.
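As a concrete form of the “disable FireWire if you don't use it” advice, the shell script below is an added example, not part of the original post or of Passware's software. It checks whether a FireWire OHCI host-controller driver is loaded, using `kextstat` on Mac OS X or `lsmod` on Linux, and prints the command that unloads it. The Linux module names and the Mac kext bundle identifier `com.apple.driver.AppleFWOHCI` are assumptions drawn from common usage rather than from the post, so confirm them on your own system before scripting a remediation around them; the sample driver listings are constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit whether a FireWire (IEEE 1394)
# OHCI host-controller driver is loaded, which is what lets a device on the port
# issue DMA reads and writes against host memory. Module names and the Mac kext
# bundle id com.apple.driver.AppleFWOHCI are assumptions; verify them locally.

# fw_driver_present LISTING: exit 0 if the driver listing names a FireWire OHCI
# driver, exit 1 otherwise. LISTING is the text of `kextstat` or `lsmod` output.
fw_driver_present() {
    printf '%s\n' "$1" | grep -Eiq 'firewire[-_]ohci|AppleFWOHCI'
}

# loaded_drivers: print the loaded-driver listing of the running OS, or nothing
# if neither tool exists (the caller then treats the driver as absent).
loaded_drivers() {
    if command -v kextstat >/dev/null 2>&1; then
        kextstat
    elif command -v lsmod >/dev/null 2>&1; then
        lsmod
    fi
}

# audit_firewire: report the state and, when the driver is loaded, the command
# that disables it until the next boot. Exits 1 when FireWire DMA is possible.
audit_firewire() {
    if fw_driver_present "$(loaded_drivers)"; then
        echo "FireWire OHCI driver loaded: a device on the 1394 port can issue DMA requests"
        echo "  Mac OS X: sudo kextunload -b com.apple.driver.AppleFWOHCI   (assumed bundle id)"
        echo "  Linux:    sudo rmmod firewire_ohci; blacklist it in /etc/modprobe.d/ to persist"
        return 1
    fi
    echo "no FireWire OHCI driver loaded"
    return 0
}

# Constructed sample listings so the check can be exercised without the hardware.
SAMPLE_MAC='Index Refs Address            Size       Wired      Name (Version) <Linked Against>
   40    0 0xffffff7f81a00000 0x1f000    0x1f000    com.apple.driver.AppleFWOHCI (5.5.1) <39 11 5 4 3 1>'
SAMPLE_LINUX='Module                  Size  Used by
firewire_ohci          40960  0
firewire_core          69632  1 firewire_ohci'
SAMPLE_CLEAN='Module                  Size  Used by
usbcore               249856  4 xhci_hcd'

fw_driver_present "$SAMPLE_MAC"   && echo "sample Mac listing: driver present"
fw_driver_present "$SAMPLE_LINUX" && echo "sample Linux listing: driver present"
fw_driver_present "$SAMPLE_CLEAN" || echo "sample clean listing: driver absent"
```

Run `audit_firewire` from the same shell to check the live machine; the Linux branch goes beyond the post's Mac OS X and Windows scope and is included because the same host-controller driver model applies there. Unloading the driver only lasts until the next boot, so a persistent fix means blacklisting the module or removing the kext, and the Windows equivalent is disabling the 1394 host controller in Device Manager as described above.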

It's not quite that simple. Some computers *have* to be physically exposed to potential attackers – for example, a computer lab at a university, or a kiosk machine in a library. These machines aren't generally vulnerable to theft, either because there are people watching (but probably not watching closely enough to notice someone plugging in a FireWire device) or because they have been wired into an alarm system.
It should also be noted that turning the computer off won't actually help against "evil maid" attacks unless it is encrypted and is also configured to require the encryption password at boot.

Aryeh Goretsky

Hello Harry,

Those are very good examples. I normally expect to see public-facing computers like those in a lab or library locked down physically as well as software-wise, and kiosk computers typically only have their KVM components exposed from their housing, as those are intended to be theft and tamper resistant. Boot loader attacks are always a possibility, which is why it is a good idea to block access to points of ingress for bootable media, as well as lock down such options in the BIOS firmware. Because there are multiple ways of attacking computers, from the hardware on up, it is important to look at defense-in-depth measures, including the physical aspects.